Copyright 2015, Oracle and/or its affiliates. All rights reserved.
Program Agenda
1. Motivations
2. A New JSR
3. Ideas
4. Get Involved
5. Q & A
What to do?

Plug the portability holes.
Modernize: Contexts and Dependency Injection (CDI).
Intercept at Access Enforcement Points: POJO methods, Lambda Expressions.
Expert Group members and who they are representing:

Adam Bien: Individual
David Blevins: Tomitribe
Rudy De Busscher: Individual
Ivar Grimstad: Individual
Les Hazlewood: Stormpath, Inc.
Will Hopkins: Oracle
Werner Keil: Individual
Matt Konda: Jemurai
Alex Kosowski: Oracle
Darran Lofthouse: RedHat
Jean-Louis Monteiro: Tomitribe
Ajay Reddy: IBM
RedHat
Arjan Tijms: ZEEF
Early Draft Review: Q4 2015
Public Review / RI: Q1 2016
Proposed Final Draft: Q3 2016
Final Release / RI / TCK: H1 2017
Ideas: To modernize, standardize, simplify

Terminology
API for Authentication Mechanism
API for Identity Store
API for Password Aliasing
API for Role/Permission Assignment
API for Security Context
API for Authorization Interceptors
Ideas - Terminology

EG discussions revealed inconsistency in security API terms. Different EE containers have different names for the same concepts.

When something gets authenticated, is that something:
a User? (e.g. HttpServletRequest.getUserPrincipal)
a Caller? (e.g. EJBContext.getCallerPrincipal)

What is a group? A group of users?
A permission vs. a role?
Ideas - Terminology

What is that something where identities are stored?
security provider (WebLogic)
realm (Tomcat, some hints in Servlet spec)
(auth) repository
(auth) store
login module (JAAS)
identity manager (Undertow)
authenticator (Resin, OmniSecurity, Seam Security)
authentication provider (Spring Security)
identity provider
Use Case: API for Authentication Mechanism

Current Solutions: API for Authentication Mechanism
JASPIC: Java Authentication Service Provider Interface for Containers
JSR 196, Maintenance Release 1.1, in 2013
Standardized, portable, thin, low-level authentication framework
Extensible from within an application
Integrates with the container to build an authenticated Subject
Implement most authentication methods
(Diagram: JASPIC classes involved: ServletContextListener, ServerAuthConfig, ServerAuthContext, ServerAuthModule.)
Possible uses:
Tracking number of logged-in users
Tracking failed login attempts per account
Side effects, like creating a new local user after initial successful authentication via a remote authentication provider
Loading application-specific user preferences
Use Case: API for Identity Store
Survey Results

Approximately 58% thought we should add support for password aliases, including the ability to provision credentials along with the application.
70% thought that we should standardize group-to-role mapping.
53% thought we should simplify JASPIC authentication.
67% thought that we should simplify authorization and make it more flexible by introducing EL-based authorization annotations, introducing a capability more general than use of @RolesAllowed and simpler than use of interceptors to do programmatic authorization.
65% thought we should standardize on requirements for simple security providers and
Current Solutions: API for Identity Store
No Java EE support
Only proprietary server support
3rd party security frameworks provide user/group APIs
(Diagram: the caller's credentials are passed to an IdentityStore backed by a DB, a file or LDAP, which returns the caller name and groups.)
1) validate: the IdentityStore is asked to validate the credential
2) returns CredentialValidationResult:
+ getStatus(): Status
+ getCallerName(): String
+ getCallerGroups(): List<String>
Credential types:
TokenCredential
+ getToken(): String
BasicAuthenticationCredential
Standard IdentityStore implementations are annotated as CDI Alternatives.
Implementations of IdentityStore:
JsonFileIdentityStore
LdapIdentityStore
DatabaseIdentityStore
JaasIdentityStore
EmbeddedIdentityStore
(Diagram: JaasIdentityStore delegating to JAAS: 1) validate on JaasIdentityStore, 2) login through a LoginContext and its LoginModules, a JaasSubjectPrincipalResolver, and 6) logout; steps 3 to 5 were not captured.)

(Diagram: an IdentityStore implementation composed of a CallerStore, GroupStore, RoleStore, CallerRoleMap and GroupRoleMap.)
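An added example, not from the deck and not the JSR 375 API: a hypothetical in-memory IdentityStore shaped after the validate / CredentialValidationResult sketch above, which also implements the "tracking failed login attempts per account" use from the authentication-mechanism slide. Status, BasicAuthenticationCredential, CredentialValidationResult, InMemoryIdentityStore, the PBKDF2 parameters and the lockout threshold are all my assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical types shaped after the slide's sketch; not the JSR 375 API itself.
enum Status { VALID, INVALID }
record BasicAuthenticationCredential(String callerName, char[] password) {}
record CredentialValidationResult(Status status, String callerName, List<String> callerGroups) {
    static final CredentialValidationResult INVALID = new CredentialValidationResult(Status.INVALID, null, List.of());
}

// In-memory IdentityStore: salted PBKDF2 password hashes plus a per-account failed-attempt counter.
public class InMemoryIdentityStore {
    private record Entry(byte[] salt, byte[] hash, List<String> groups) {}
    private final ConcurrentHashMap<String, Entry> callers = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Integer> failedAttempts = new ConcurrentHashMap<>();
    private final int lockoutThreshold;   // assumption: refuse the account after this many failures
    public InMemoryIdentityStore(int lockoutThreshold) { this.lockoutThreshold = lockoutThreshold; }

    public void addCaller(String name, char[] password, List<String> groups) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        callers.put(name, new Entry(salt, derive(password, salt), List.copyOf(groups)));
    }

    // 1) validate: the authentication mechanism hands over the caller's credential;
    // 2) returns CredentialValidationResult with status, caller name and groups.
    public CredentialValidationResult validate(BasicAuthenticationCredential cred) {
        String name = cred.callerName();
        Entry entry = callers.get(name);
        if (entry == null || failedAttempts.getOrDefault(name, 0) >= lockoutThreshold) {
            return CredentialValidationResult.INVALID;   // unknown or locked-out account
        }
        if (MessageDigest.isEqual(derive(cred.password(), entry.salt()), entry.hash())) {
            failedAttempts.remove(name);                 // success resets the counter
            return new CredentialValidationResult(Status.VALID, name, entry.groups());
        }
        failedAttempts.merge(name, 1, Integer::sum);     // tracking failed login attempts per account
        return CredentialValidationResult.INVALID;
    }

    private static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        finally { spec.clearPassword(); }                // do not keep the password chars in the spec
    }
}
```

MessageDigest.isEqual gives a constant-time hash comparison, and a locked-out account answers INVALID even for the right password, which is the behaviour an authentication mechanism should expect from the store.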
Use Case: API for Password Aliasing
Survey Results: API for Password Aliasing

Security: Most of the suggested improvements in the security area received strong support.
Should we add support for password aliases (including the ability to provision credentials along with the application)?
Current Solutions: API for Password Aliasing
No Java EE support
Proprietary server support, e.g. GlassFish
3rd party security framework support for embedded password encryption, not aliasing

(Diagram: the application refers to an alias; the server resolves it from the Password Alias Archive to the actual secret, e.g. "mysecret", which is cleared when done.)
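An added example, not from the deck and not GlassFish's or JSR 375's implementation: a hypothetical Password Alias Archive backed by a PKCS12 keystore, where deployment configuration carries "${ALIAS=name}" instead of the secret and the resolved char[] is cleared by the caller when done. The class, the alias reference syntax and the use of AES secret-key entries to hold passwords are my assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical archive: a PKCS12 keystore holding each aliased password as a secret-key entry
// protected by a master password. Configuration references "${ALIAS=name}", never the secret.
public class PasswordAliasArchive {
    private static final Pattern ALIAS_REF = Pattern.compile("\\$\\{ALIAS=([\\w.-]+)\\}");
    private final KeyStore store;
    private final KeyStore.PasswordProtection protection;
    private PasswordAliasArchive(KeyStore store, char[] master) {
        this.store = store;
        this.protection = new KeyStore.PasswordProtection(master);
    }

    public static PasswordAliasArchive create(char[] master) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, master);                                   // new, empty archive
        return new PasswordAliasArchive(ks, master);
    }

    public static PasswordAliasArchive open(byte[] archiveBytes, char[] master) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(archiveBytes), master); // a wrong master password fails here
        return new PasswordAliasArchive(ks, master);
    }

    public void put(String alias, char[] secret) throws Exception {
        byte[] raw = new String(secret).getBytes(StandardCharsets.UTF_8);
        store.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES")), protection);
        Arrays.fill(raw, (byte) 0);                              // do not keep the plaintext bytes around
    }

    // Resolves "${ALIAS=name}" to the stored password; plain values are returned unchanged.
    public char[] resolve(String reference) throws Exception {
        Matcher m = ALIAS_REF.matcher(reference);
        if (!m.matches()) return reference.toCharArray();
        KeyStore.Entry entry = store.getEntry(m.group(1), protection);
        if (!(entry instanceof KeyStore.SecretKeyEntry ske)) throw new SecurityException("unknown alias: " + m.group(1));
        byte[] raw = ske.getSecretKey().getEncoded();
        char[] out = new String(raw, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(raw, (byte) 0);                              // caller zeroes 'out' when done
        return out;
    }

    public byte[] export(char[] master) throws Exception {       // entries encrypted, file MAC'ed by PKCS12
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        store.store(bos, master);
        return bos.toByteArray();
    }
}
```

The String round trips in put() and resolve() leave immutable copies on the heap until garbage collection, which is the usual limitation of char[] hygiene in Java and worth knowing when reasoning about heap dumps.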
Use Case: API for Role/Permission Assignment

Survey Results
Current Solutions: API for Role/Permission Assignment
No Java EE support
Only proprietary server support
3rd party security frameworks provide role/authority/permission APIs
(Diagram: 1) the app updates the caller's roles in the DB; 3) JASPIC validates the credentials against the IdentityStore; 4) the IdentityStore queries the DB for the caller; 5) it returns the caller and groups (i.e. roles); step 2 was not captured.)
Use Case: API for Security Context

Current Solutions: API for Security Context
No Java EE support
3rd party security frameworks provide a security context
Current Solutions: EJB

```java
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Singleton;

@Singleton
public class MyEjb {
    @Resource
    private SessionContext sessionContext;

    public String sayHello() {
        // EJB: the role check goes through the injected SessionContext
        if (sessionContext.isCallerInRole("admin")) {
            return "Hello World!";
        }
        throw new SecurityException("User is unauthorized.");
    }
}
```
Current Solutions: Servlet

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse resp)
            throws ServletException, IOException {
        // Servlet: the role check goes through the request
        if (request.isUserInRole("admin")) {
            // do something
            return;   // without this, an admin would fall through to the exception below
        }
        throw new ServletException("User is unauthorized.");
    }
}
```
Current Solutions: CDI

```java
import javax.enterprise.context.RequestScoped;

@RequestScoped
public class MyCdiBean {
    // Oh snap! No SecurityContext class for CDI
}
```
Current Solutions: JAX-RS

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

public class MyJaxRsService {
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {
        // JAX-RS: the role check goes through the injected JAX-RS SecurityContext
        if (sc.isUserInRole("admin")) {
            return "Hello World!";
        }
        throw new SecurityException("User is unauthorized.");
    }
}
```
Use Case: API for Authorization Interceptors

Survey Results

Current Solutions: API for Authorization Interceptors
Ideas: AccessDecisionVoter
A user-defined class for making access decisions.

```java
@Secured(AccountAccessDecisionVoter.class)
void transferFunds() {..};
```
Ideas: AccessDecisionVoter

```java
import java.lang.reflect.Method;
import javax.interceptor.InvocationContext;

public class AccountAccessDecisionVoter implements AccessDecisionVoter {
    @Override
    public SecurityViolation checkPermission(AccessDecisionVoterContext ctx) {
        // Check for violations: the intercepted method is available from the invocation context
        Method method = ctx.<InvocationContext>getSource().getMethod();
        // As sketched on the slide, the voter denies unconditionally
        return new SecurityViolation("Sorry, not allowed");
    }
}
```
Get Involved
Contribute to the JSR!
Attend related sessions!
Q & A
JSR 375: EE Security API